[VulnWatch] Medium Risk Vulnerability in PGP Desktop

From: NGSSoftware Insight Security Research (nisr@private)
Date: Thu Jan 25 2007 - 14:30:50 PST


Peter Winter-Smith of NGSSoftware has discovered a medium risk vulnerability
in PGP Desktop which can allow a remote authenticated attacker to execute
arbitrary code on a system on which PGP Desktop is installed.

The vulnerability resides within the Windows Service which PGP Desktop
installs (which operates under the Local System account), and as such it may
be used by any local or remote user (who must be a member of at least the
Everyone/ANONYMOUS LOGON groups) to run code with escalated privileges. NGS
have not been able to exploit this issue in the context of a NULL session.

The details of this issue are as follows:

PGP Desktop installs a service (PGPServ.exe/PGPsdkServ.exe) which exposes a
named pipe '\pipe\pgpserv' (or '\pipe\pgpsdkserv' for the PGPsdkServ.exe
instance). This pipe is the endpoint for an RPC interface
(uuid:15cd3850-28ca-11ce-a4e8-00aa006116cb) which takes the following
format:

[ uuid(15cd3850-28ca-11ce-a4e8-00aa006116cb),
  version(1.0),
  implicit_handle(handle_t rpc_binding)
] interface pgpsdkserv
{
  error_status_t Function_00(
        [in] /* [ignore] void * */ long element_1
  );

  typedef struct {
    long element_2;
    [size_is(element_2)] [unique] byte *element_3;
  } TYPE_1;

  error_status_t Function_01(
        [in] /* [ignore] void * */ long element_4,
        [in] [size_is(element_6)] byte element_5[*],
        [in] long element_6,
        [in] long element_7,
       [out] [ref] TYPE_1 *element_8
  );
}

This interface is used to marshall various objects and information between
PGP clients (PGP.dll/PGPsdk.dll) and the PGP service.

The vulnerability occurs as a result of the fact that the code responsible
for processing the objects which are passed over the interface to the
service does not perform any kind of validation on these objects, and
instead trusts that object data is completely safe in the form that it is
received (i.e., absolute pointers are trusted without validation).

NGS have discovered that if the following object is passed over the
interface as the second parameter to function ordinal 1, an absolute pointer
is trusted and executed - easily facilitating arbitrary code execution
inside of the PGP service process:

/*

structure passed over rpc:
    struct {
        DWORD **pprgMM; // set as absolute pointer to dwUnknown_1
        DWORD dwUnknown_1; // set as absolute pointer to 'rgMM'
        DWORD dwCount; // set to value 0
        DWORD dwFGUB_signature; // set to value 'FGUB'
        DWORD dwUnknown_2; // set to value 'rgMM'
        DWORD dwUnknown_3;
        DWORD dwUnknown_4;
        DWORD dwUnknown_5;
        DWORD dwUnknown_6;
        PBYTE pbFunction; // set to absolute address of shellcode
        // etc...
    };

*/

This issue has been resolved as of PGP Desktop 9.5.1 and NGS recommend that
all users download the updated version from the PGP website:

http://www.pgp.com/

NGSSoftware Insight Security Research
http://www.ngssoftware.com
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070


--
E-MAIL DISCLAIMER

The information contained in this email and any subsequent
correspondence is private, is solely for the intended recipient(s) and
may contain confidential or privileged information. For those other than
the intended recipient(s), any disclosure, copying, distribution, or any
other action taken, or omitted to be taken, in reliance on such
information is prohibited and may be unlawful. If you are not the
intended recipient and have received this message in error, please
inform the sender and delete this mail and any attachments.

The views expressed in this email do not necessarily reflect NGS policy.
NGS accepts no liability or responsibility for any onward transmission
or use of emails and attachments having left the NGS domain.

NGS and NGSSoftware are trading names of Next Generation Security
Software Ltd. Registered office address: 52 Throwley Way, Sutton, SM1
4BF with Company Number 04225835 and VAT Number 783096402



This archive was generated by hypermail 2.1.3 : Thu Jan 25 2007 - 15:49:18 PST